McAfee Endpoint Security Configuration Update
- Pavan Raja

- Apr 8, 2025
- 9 min read
Summary:
This page summarizes the SmartConnector Configuration Guide for McAfee ePolicy Orchestrator (ePO) DB: the data fields and types associated with McAfee ePO products and related events, including details for the different versions of McAfee's Host Intrusion Prevention System (HIPS). The key points are:
### Device-Specific Fields

These fields are tailored to the specific devices or product types involved in security events. They include:

- **AgentGUID**: Unique identifier for each agent used by McAfee products on devices.
- **GeneratedTime**: Timestamp indicating when the event was generated, which can be crucial for incident response and analysis.
- **IPv4/IPv6 Addresses**: Network addresses used in communication between devices.
- **MAC Addresses**: Physical network addresses of networked devices.
- **Process Names**: Identifies the process on a device involved in the security event.
- **User Names**: Accounts associated with actions taken by users on devices connected through McAfee ePO solutions.
- **Version Numbers**: Software versions installed on devices that are relevant to the detected threat or action.

### External ID and File Path

These fields provide unique identifiers for events:

- **ThreatEventID (or AutoID)**: Unique identifier assigned to each event, which helps in tracking and correlating incidents across different systems.
- **File Path**: Includes both SourceURL and TargetFileName, depending on whether the file path is related to a source or a target during transfer operations.

### Device Product and Action

These fields specify the product involved in the event:

- **Device Product**: Examples include 'McAfee', 'HIPS', and 'Policy Auditor'.
- **Device Action**: Indicates whether an action was blocked (e.g., network traffic not allowed) or permitted, based on the security policies enforced by McAfee products.

### Threat Detection

This section details the nature of the threats detected:

- **Threat Category, Threat Name, Threat Severity, Threat Type**: These fields categorize and describe the type of threat encountered during an event.

### Device Actions and Threat Detection Summary

- **Action Taken**: 'Blocked' or 'Permitted', based on security policies enforced by McAfee products to protect against potential threats.
- **Threat Classification**: Events are categorized into different threat types (e.g., malware, unauthorized access attempts) and assigned a unique identifier for tracking purposes.

### Integration with ArcSight ESM

The document outlines how these data points are mapped to the appropriate fields in the ArcSight Enterprise Security Manager (ESM) platform:

- **Device Product**: Identifies the product involved, which helps in integrating security events across the various McAfee ePO solutions and other connected devices.
- The provided data fields are mapped to the appropriate fields in the ArcSight ESM platform to facilitate unified monitoring of security events across devices connected through McAfee ePO solutions.

### Device Custom Strings, Event Handling, and Configuration Changes

These sections provide detailed information about:

1. **Device Custom Strings**: Specific details for each version of McAfee's Host Intrusion Prevention System (HIPS), including agent versions, time zones, resolutions, product versions, and data handling information.
2. **Event Handling**: Defined event categories based on device types, with severity levels and timestamps specific to the type of threat or action detected.
3. **Troubleshooting Tips**: Solutions for common issues such as SQL Server authentication failures on non-Windows platforms, and methods to clear accumulated events in SmartConnectors after a restart.
4. **Configuration Changes**: Instructions for adjusting parameters within the McAfee ePO ecosystem using tools like `arcsight connectorsetup` to modify the behavior of SmartConnectors, including setting `preservestate` from true (the default) to false for event data retention and management.

### Conclusion

This document serves as a comprehensive guide for managing and troubleshooting network devices connected through McAfee ePolicy Orchestrator using ArcSight's SmartConnectors in a SIEM environment. It emphasizes the importance of detailed configurations, parameter settings, and continuous monitoring to ensure robust security operations across the various McAfee products and connected devices within the enterprise ecosystem.
Details:
The "SmartConnector™ Configuration Guide for McAfee ePolicy Orchestrator DB" is a document that provides detailed instructions and guidelines for configuring the SmartConnector, which facilitates the integration of McAfee products with ArcSight systems. This guide covers various aspects including event types, configuration, installation, and troubleshooting steps specific to different versions and configurations supported by the software.
The guide starts with an overview of the product, detailing the compatible McAfee ePO products and versions that it supports. It then moves on to discuss event types, such as HIPS (Host-based Intrusion Prevention System) events, which are crucial for configuring the system's security features. The configuration section provides instructions on controlling logging levels, managing SQL user privileges, and setting up an ODBC data source for better database connectivity.
The installation process is thoroughly explained with detailed steps covering everything from enabling FIPS Suite B support to running the SmartConnector itself. There are also sections dedicated to specific events like McAfee Host Data Loss Prevention (HDLP) Events in ePO 4.0/4.5 DB and McAfee GroupShield 4.0, which require unique configurations for proper mapping with ArcSight fields.
The document is updated regularly with new features, versions, and corrections as per the latest developments from McAfee and ArcSight. It's recommended to refer to the most recent version of this guide before proceeding with any installation or configuration tasks to ensure that all details are up-to-date and accurate.
The document outlines the supported McAfee ePolicy Orchestrator (ePO) versions, products, and events for which the SmartConnector for McAfee ePO can be configured to collect database events in ArcSight. It specifies that Microsoft SQL Server 2000, 2005, and 2008 are supported databases, and it lists various McAfee ePO products including HIPS (Host Intrusion Prevention System), VirusScan Enterprise, Policy Auditor, and Rogue System Detection (RSD) with their respective versions.
For each version of the software:

- It describes the events that can be collected, such as VirusScan, HIPS 7.0/8.0, RSD 2.0/4.5, Policy Auditor rules, etc.
- It details how to configure and install the SmartConnector for McAfee ePO to import these events into ArcSight's database.
- It specifies which versions of McAfee products are supported under different scenarios, as outlined in numbered points.
This guide is crucial for users looking to integrate McAfee ePO with ArcSight, providing a clear mapping between the event types and fields within ArcSight’s database.
This document outlines various aspects of configuring and managing McAfee ePolicy Orchestrator (ePO) for event collection and debugging. It covers parameters for different versions of ePO, including 4.0 and 3.6, as well as specific configurations for the ArcSight SmartConnector for ePO.
For ePO 4.0:

- Valid parameters include events collected by McAfee Agent 4.0 (hips) and McAfee Desktop Firewall versions 7.5, 8.0, and 8.5.

For ePO 3.6:

- The valid parameters are VirusScan Enterprise for virusscan, HIPS events (blockedappevent, ipsevent) in versions 6.0 and 7.0, and Rogue System Detection 1.0.
To configure your ePO agents for event collection, refer to the specific McAfee product documentation. The document also discusses how to control the level of logging in the debug logs using the DWORD registry value `HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR\LOGLEVEL`, with values ranging from 1 to 8 that select which message types are logged (e.g., level 5 logs the e, w, i, x, and E message types). It also covers the maximum size of the log files, controlled by `HKEY_LOCAL_MACHINE\SOFTWARE\NETWORK ASSOCIATES\EPOLICY ORCHESTRATOR\LOGSIZE`.
Additionally, it provides guidance on confirming the minimum privileges the SQL user needs to authenticate to the ePO database, on creating an ODBC Data Source when configuring the SmartConnector with an ODBC driver, and on installing the ArcSight SmartConnector in a way that avoids server performance issues.
This guide provides instructions for installing the ArcSight SmartConnector for McAfee ePolicy Orchestrator DB on various platforms. It requires local access to the machine where the connector is being installed and administrator passwords. Before installation, ensure that you have downloaded the appropriate executable from the ArcSight Customer Support Site as per the release notes.
The process involves:
1. Running the installer.
2. Choosing a folder for installation.
3. Configuring pre-installation settings.
4. Installing the core connector software if necessary.
5. Selecting the destination, which should be ArcSight Manager (encrypted) unless specified otherwise.
6. Entering manager certificate information and host details.
7. Creating valid credentials for ArcSight User Name and Password.
8. Configuring parameters including Database JDBC Driver and URL based on ODBC or JDBC usage.
9. Finalizing the installation with export/import options as necessary, following through to completion of the wizard.
10. Manual configuration post-installation according to SSL certificate type in use by the ArcSight ESM Manager, detailed in the ArcSight ESM Administrator's Guide.
This guide also addresses specific scenarios like FIPS compliance and connector appliance usage.
This guide provides a detailed walkthrough for configuring and running a SmartConnector for McAfee ePolicy Orchestrator (ePO) version 4.0/4.5 database on an MS SQL Server, specifically addressing the setup process with a focus on event types, service configuration, system restart requirements, and enabling FIPS Suite B support.
Key steps include:
1. Entering specific values for the host name, database name, and login credentials.
2. Selecting or deselecting event types from a list including 'virusscan', 'hdlp', 'groupshield', 'hips', 'ipsevent', 'blockedappevent', 'rsd', 'policyauditorrule', 'policyauditorfile', 'eporollup'.
3. Naming the SmartConnector and providing additional details about its purpose.
4. Reviewing a summary of the connector setup to ensure accuracy, making adjustments if necessary.
5. Completing configuration by choosing whether to run the connector as a process or service, with options for defining service parameters.
6. Confirming the setup and system configurations after completion.
7. Restarting the system if required and completing any additional configurations.
8. Enabling FIPS Suite B support by modifying ESM destination parameters in the agent properties file.
9. Running the SmartConnector manually or automatically depending on its installation type, with guidance provided for viewing logs and stopping processes as needed.
10. Mapping device events to appropriate ArcSight fields according to specific connector requirements.
The guide also includes instructions for upgrading or uninstalling connectors, as well as information about data field mappings relevant to McAfee Host Data Loss Prevention Events with ePO 4.0/4.5 DB and how they relate to ArcSight ESM fields.
The provided information outlines various data fields and their mappings for different types of events related to McAfee ePolicy Orchestrator (ePO), including threat detection, policy auditing, and network activity monitoring. These fields are used by ArcSight ESM, a security information and event management (SIEM) tool, to integrate with McAfee products such as the McAfee GroupShield, HIPS, RSD, and Policy Auditor.
**Key Data Fields:**

- **Device-Specific Fields**: Customizable data fields specific to the device or product involved in the event. These include strings like AgentGUID, dates (e.g., GeneratedTime), IPv4/IPv6 addresses, MAC addresses, process names, user names, and versions.
- **External ID**: Unique identifier for each event, such as ThreatEventID or AutoID.
- **File Path**: Can be either SourceURL or TargetFileName, depending on the context of the file transfer.
- **Device Product**: Identifies the product involved in the event; examples include 'McAfee', 'HIPS', and 'Policy Auditor'.
- **Device Action**: Indicates whether an action was taken (e.g., blocked or permitted).
- **Threat Category, Threat Name, Threat Severity, Threat Type**: Provide details about the nature of the threat detected.
- **Transport Protocol**: Specifies the network protocol used for communication between devices (e.g., HTTP, HTTPS).
**Device Actions:**
The action taken on a device can be categorized as 'blocked' or 'permitted', based on security policies enforced by McAfee products.
**Threat Detection:**
Events are classified into different threat categories such as malware, unauthorized access attempts, etc., and are assigned unique ThreatEventID.
**Integration with ArcSight ESM:**
The data fields are mapped to the appropriate fields in the ArcSight ESM platform, facilitating unified monitoring and management of security events across various devices connected through McAfee ePO solutions.
This summary highlights how detailed information about device interactions, network activities, and threat detections can be efficiently managed and analyzed using standardized field mappings within a SIEM tool like ArcSight ESM, integrated with McAfee products for enhanced security operations.
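The mapping described above, worked through in code as an added example (it is not the SmartConnector's own mapping logic): an ePO database row is turned into an ArcSight-style event, with `externalId` taken from ThreatEventID and falling back to AutoID, `filePath` chosen between SourceURL and TargetFileName, and the action normalised to blocked/permitted. The row column names follow the field names the guide uses, but the real ePO table layout and the exact ArcSight output field names (`deviceCustomString1`, `deviceCustomDate1`, etc.) are assumptions made for this example; the sample rows are constructed.

```python
"""Map ePO database event columns onto ArcSight ESM style fields.

Added illustration of the field mapping the guide describes; it is not the
SmartConnector's own parser. Column names on the rows follow the names the
guide uses, but the real ePO table layout and the connector's exact output
field names are assumptions made for this example.
"""
from datetime import datetime

# Constructed sample rows; every value is invented for this example.
SAMPLE_ROWS = [
    {   # HIPS blocks a file write: the path is the target file name
        "ThreatEventID": 10421, "AutoID": None,
        "AgentGUID": "{0A1B2C3D-0000-4000-8000-00000000AAAA}",
        "GeneratedTime": "2025-04-01 08:15:30",
        "DeviceProduct": "HIPS", "ActionTaken": "Blocked",
        "SourceURL": None, "TargetFileName": r"C:\Temp\dropper.exe",
        "ThreatCategory": "hip.file", "ThreatName": "Illegal Write Attempt",
        "ThreatSeverity": 2, "ThreatType": "IDS",
        "SourceIPV4": "10.0.0.5", "TransportProtocol": "tcp",
    },
    {   # VirusScan row with only AutoID set; the path is the download source
        "ThreatEventID": None, "AutoID": 77,
        "AgentGUID": "{0A1B2C3D-0000-4000-8000-00000000BBBB}",
        "GeneratedTime": "2025-04-01 09:02:11",
        "DeviceProduct": "McAfee", "ActionTaken": "permitted",
        "SourceURL": "http://example.invalid/update.bin", "TargetFileName": None,
        "ThreatCategory": "av.detect", "ThreatName": "EICAR test file",
        "ThreatSeverity": 3, "ThreatType": "virus",
        "SourceIPV4": "10.0.0.7", "TransportProtocol": "http",
    },
]

# The two device actions the guide names; anything else is rejected rather than guessed.
KNOWN_ACTIONS = {"blocked", "permitted"}


def map_event(row):
    """Return one ArcSight-style event dict for an ePO row; raise ValueError on bad input."""
    # externalId: ThreatEventID when present, otherwise AutoID
    external_id = row.get("ThreatEventID")
    if external_id is None:
        external_id = row.get("AutoID")
    if external_id is None:
        raise ValueError("row carries neither ThreatEventID nor AutoID")

    action = (row.get("ActionTaken") or "").strip().lower()
    if action not in KNOWN_ACTIONS:
        raise ValueError(f"unexpected ActionTaken value: {row.get('ActionTaken')!r}")

    # filePath: SourceURL when the event concerns the source of a transfer,
    # otherwise the target file name
    file_path = row.get("SourceURL") or row.get("TargetFileName")

    generated = datetime.strptime(row["GeneratedTime"], "%Y-%m-%d %H:%M:%S")

    return {
        "externalId": str(external_id),
        "deviceProduct": row["DeviceProduct"],
        "deviceAction": action,
        "filePath": file_path,
        "deviceCustomDate1": generated,          # assumed slot for GeneratedTime
        "deviceCustomString1": row.get("AgentGUID"),  # assumed slot for AgentGUID
        "sourceAddress": row.get("SourceIPV4"),
        "transportProtocol": (row.get("TransportProtocol") or "").lower() or None,
        "deviceEventCategory": row.get("ThreatCategory"),
        "name": row.get("ThreatName"),
        "deviceSeverity": str(row.get("ThreatSeverity")),
        "deviceEventClassId": row.get("ThreatType"),
    }


def blocked_events(rows):
    """Mapped events whose deviceAction is 'blocked'; a simple triage filter."""
    return [e for e in map(map_event, rows) if e["deviceAction"] == "blocked"]


if __name__ == "__main__":
    for event in map(map_event, SAMPLE_ROWS):
        print(event["externalId"], event["deviceProduct"], event["deviceAction"], event["filePath"])
```

Rejecting an unknown action value instead of defaulting it matters for detection: a row that silently became "permitted" would never surface in a rule that alerts on blocked HIPS events.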
The provided document details the various fields and types associated with McAfee ePolicy Orchestrator (ePO) products and related events. It includes data for devices, such as the device host name, MAC address, product information, and event categories like threatcateg and evntname. Additionally, it outlines specific details for each version of McAfee's Host Intrusion Prevention System (HIPS), including custom strings, dates, severities, and other fields relevant to the event occurrence and its classification. The document also mentions different versions of ePO products like 'ePolicy Orchestrator' and 'Host Intrusion Prevention System', and their respective database connectors ('SmartConnector for McAfee ePolicy Orchestrator' and 'HIPS 7.0 Events with ePO 3.6 DB'). It covers data points including source and destination addresses, host names, process names, user names, timestamps, severities, event categories, custom strings, and more, all categorized under specific fields defined in the ArcSight ESM Field Device-Specific Field or mentioned directly within the context of each product's database connector.
This document discusses various aspects related to device management and event handling in a network environment, particularly focusing on devices such as Rogue System Sensor and ePolicy Orchestrator (ePO) within McAfee's ecosystem. It covers definitions, troubleshooting tips, and configurations for SmartConnectors used with these devices.
1. **Device Custom Strings**: These are specific to each device type, providing additional details like agent version, timezone, resolution, etc. For example, the Rogue System Sensor has custom strings that include network name (IPv6), OS description, and time of detection. The ePolicy Orchestrator includes product versions and data handling information.
2. **Event Handling**: Specific event categories are defined based on device types like 'Detected Rogue System by RSD1.0' for rogue systems or 'ePO AntiVirus Scan Event' for virus scan events, each with its own severity levels and timestamps.
3. **Troubleshooting Tips**: For issues related to SQL Server authentication failures on non-Windows platforms, the document advises using Mixed Mode Authentication or configuring credentials directly through the Microsoft SQL Server settings. It also provides a solution for clogging of connectors by setting a parameter called `preservestate` that skips old events and starts from real time when the connector is restarted after being inactive.
4. **Configuration Changes**: Instructions are provided on how to modify the behavior of SmartConnectors using the ArcSight Agent Configuration Tool, specifically through commands like `arcsight connectorsetup` for advanced settings adjustment. This includes changing parameters such as `preservestate` from true (default) to false to clear accumulated events.
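A small simulation, added here as an example that is not ArcSight's code, of the `preservestate` behaviour points 3 and 4 describe: a connector keeps a checkpoint of the last event it forwarded; after a period of inactivity, a restart with `preservestate` true (the default) resumes from that checkpoint and works through the backlog, while a restart with `preservestate` false moves the checkpoint to the current time and skips the events generated while it was down. The checkpoint format, the event shape and the timeline are constructed for this illustration.

```python
"""Illustrate the effect of the SmartConnector `preservestate` parameter.

Added example, not ArcSight's implementation. It models the behaviour the
guide describes: preservestate=True resumes from the saved position after a
restart, preservestate=False starts from real time and skips the backlog.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class EpoEvent:
    auto_id: int
    generated_time: datetime


T0 = datetime(2025, 4, 1, 8, 0, 0)
# Constructed timeline: events 1-3 arrive while the connector runs, 4-6 while
# it is down (minutes 3 to 40), event 7 after the restart.
EVENTS = [EpoEvent(i, T0 + timedelta(minutes=m))
          for i, m in enumerate([0, 1, 2, 10, 20, 30, 41], start=1)]


class ConnectorState:
    def __init__(self, preservestate=True):
        self.preservestate = preservestate
        self.checkpoint = None   # GeneratedTime of the last forwarded event
        self.forwarded = []      # AutoIDs sent on to the ESM destination
        self.skipped = []        # AutoIDs dropped by a preservestate=False restart

    def _pending(self, events, now):
        """Events generated up to `now` that lie beyond the checkpoint."""
        return sorted((e for e in events
                       if e.generated_time <= now
                       and (self.checkpoint is None or e.generated_time > self.checkpoint)),
                      key=lambda e: e.generated_time)

    def poll(self, events, now):
        """Forward every pending event and advance the checkpoint."""
        batch = self._pending(events, now)
        for e in batch:
            self.forwarded.append(e.auto_id)
            self.checkpoint = e.generated_time
        return [e.auto_id for e in batch]

    def restart(self, events, now):
        """Restart after inactivity; only preservestate=False changes anything."""
        if self.preservestate:
            return []                      # resume from the saved checkpoint
        backlog = self._pending(events, now)
        self.skipped.extend(e.auto_id for e in backlog)
        self.checkpoint = now              # start from real time
        return [e.auto_id for e in backlog]


def simulate(preservestate):
    """Run the constructed timeline; return (forwarded ids, skipped ids)."""
    conn = ConnectorState(preservestate)
    conn.poll(EVENTS, T0 + timedelta(minutes=3))     # normal operation: 1, 2, 3
    conn.restart(EVENTS, T0 + timedelta(minutes=40))  # back up after being inactive
    conn.poll(EVENTS, T0 + timedelta(minutes=42))    # first poll after restart
    return conn.forwarded, conn.skipped


if __name__ == "__main__":
    for flag in (True, False):
        forwarded, skipped = simulate(flag)
        print(f"preservestate={flag}: forwarded={forwarded} skipped={skipped}")
```

The skipped list is the point to keep in view when clearing a clogged connector: events 4 to 6 never reach the ESM, so the window between the outage and the restart is a gap in monitoring coverage, which is why the guide treats false as a deliberate override of the default rather than a permanent setting.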
Overall, this document serves as a guide for managing and troubleshooting network devices connected to McAfee ePolicy Orchestrator using SmartConnectors in ArcSight environments, focusing on detailed configurations and parameter settings within the device management framework.